vault

mirrors/vault

Fork 0

mirror of https://github.com/hashicorp/vault.git synced 2025-08-17 20:17:00 +02:00

Commit Graph

Author	SHA1	Message	Date
Alexander Scheel	daf72aa427	Fix transit import/export of hmac-only keys (#20864 ) * Fix export of HMAC typed keys When initially implemented, exporting HMAC keys resulted in returning the unused, internal HMACKey value rather than the main Key value that is used for HMAC operations. This is a breaking change. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Consistently handle HMAC keys in keysutil When generating HMAC-typed keys, set HMACKey = Key consistently, to allow users of HMAC-typed keys to use them backwards compatibly. Notably, this could discard the (unused) HMACKey field set today. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add test proving export of HMAC keys work Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-31 18:04:08 +00:00
Alexander Scheel	63ccb60b9a	Transit BYOK export capabilities (#20736 ) * Add WrapKey capabilities to keysutil This allows one keysutil to wrap another key, assuming that key has an type matching one of keysutil's allowed KeyTypes. This allows completing the BYOK import loop with Transit, allowing imported wrapping keys to export (wrap) other keys in transit, without having them leave in plaintext. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add /byok-export/:dst/:src[/:version] to Transit Still respecting exportable, we allow encrypted-only export of transit keys to another cluster using the BYOK semantics. In particular, this allows an operator to securely establish key material between two separate Transit installations. This potentially allows one cluster to be used as a source cluster (encrypting a large amount of data) and a second cluster to decrypt this data later. This might be useful in hybrid or site-specific deployments of Vault for instance. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add missing dependency to sdk/, vault/ Also updates to a newer version while we're here. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation on BYOK export Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add tests for BYOK export/import Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update website/content/api-docs/secret/transit.mdx * Update builtin/logical/transit/path_byok.go Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>	2023-05-30 21:42:41 +00:00

Author

SHA1

Message

Date

Alexander Scheel

daf72aa427

Fix transit import/export of hmac-only keys (#20864 )

* Fix export of HMAC typed keys

When initially implemented, exporting HMAC keys resulted in returning
the unused, internal HMACKey value rather than the main Key value that
is used for HMAC operations.

This is a breaking change.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Consistently handle HMAC keys in keysutil

When generating HMAC-typed keys, set HMACKey = Key consistently, to
allow users of HMAC-typed keys to use them backwards compatibly.

Notably, this could discard the (unused) HMACKey field set today.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test proving export of HMAC keys work

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

2023-05-31 18:04:08 +00:00

Alexander Scheel

63ccb60b9a

Transit BYOK export capabilities (#20736 )

* Add WrapKey capabilities to keysutil

This allows one keysutil to wrap another key, assuming that key has an
type matching one of keysutil's allowed KeyTypes. This allows completing
the BYOK import loop with Transit, allowing imported wrapping keys to
export (wrap) other keys in transit, without having them leave in
plaintext.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /byok-export/:dst/:src[/:version] to Transit

Still respecting exportable, we allow encrypted-only export of transit
keys to another cluster using the BYOK semantics.

In particular, this allows an operator to securely establish key
material between two separate Transit installations. This potentially
allows one cluster to be used as a source cluster (encrypting a large
amount of data) and a second cluster to decrypt this data later. This
might be useful in hybrid or site-specific deployments of Vault for
instance.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing dependency to sdk/, vault/

Also updates to a newer version while we're here.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on BYOK export

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOK export/import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/transit.mdx

* Update builtin/logical/transit/path_byok.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

2023-05-30 21:42:41 +00:00

2 Commits